Advisory GHSA-c2fc-9q9c-5486 references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times.
The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
```go
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {
```
It is currently undetermined what an attacker...
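The snippet above shows the two leaks at once: Go's `!=` on strings returns at the first differing byte, and `||` skips the password comparison entirely whenever the username is wrong, so an attacker learns something about both operands from response time. The following is an added example (not Dragonfly's code, and not from the report it cites) that reproduces the short-circuiting check, instruments it so the skipped comparison is observable without flaky timing measurements, and places a constant-time variant beside it. The `Credentials` type, the `parseBasicAuth` helper and the sample `admin:s3cret` pair are assumptions made for the example; the hardened form hashes both operands with SHA-256 before `subtle.ConstantTimeCompare` so that length differences do not short-circuit either, and combines the two results with a bitwise AND so the username result never gates the password work.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Credentials stands in for proxy.basicAuth in the advisory snippet (assumed shape).
type Credentials struct {
	Username string
	Password string
}

// vulnerableCheck reproduces the short-circuiting comparison from the advisory.
// Go's != on strings stops at the first differing byte, and || skips the
// password comparison entirely when the username already mismatches.
func vulnerableCheck(c Credentials, user, pass string) bool {
	if user != c.Username || pass != c.Password {
		return false
	}
	return true
}

// vulnerableCheckTraced is the same logic instrumented to report whether the
// password operand was evaluated at all. It makes the short-circuit visible
// without measuring wall-clock time, which is too noisy for a unit test.
func vulnerableCheckTraced(c Credentials, user, pass string) (ok bool, passwordCompared bool) {
	passwordMismatch := func() bool {
		passwordCompared = true
		return pass != c.Password
	}
	if user != c.Username || passwordMismatch() {
		return false, passwordCompared
	}
	return true, passwordCompared
}

// constantTimeEqual returns 1 if a == b and 0 otherwise, in time independent
// of where the strings differ. Both sides are hashed first because
// subtle.ConstantTimeCompare returns immediately on a length mismatch, which
// would otherwise leak the length of the configured secret.
func constantTimeEqual(a, b string) int {
	ha := sha256.Sum256([]byte(a))
	hb := sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:])
}

// hardenedCheck evaluates both comparisons unconditionally and combines the
// results with a bitwise AND, so the username outcome never decides whether
// the password is compared.
func hardenedCheck(c Credentials, user, pass string) bool {
	userOK := constantTimeEqual(user, c.Username)
	passOK := constantTimeEqual(pass, c.Password)
	return (userOK & passOK) == 1
}

// parseBasicAuth decodes a "Basic <base64(user:pass)>" header value, the shape
// a proxy client sends in Proxy-Authorization (helper assumed for this example).
// Any malformed input yields ok=false rather than a partial credential.
func parseBasicAuth(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", false
	}
	user, pass, found := strings.Cut(string(raw), ":")
	if !found {
		return "", "", false
	}
	return user, pass, true
}

// authorize ties the pieces together: parse the header, then run the hardened check.
func authorize(c Credentials, header string) bool {
	user, pass, ok := parseBasicAuth(header)
	if !ok {
		return false
	}
	return hardenedCheck(c, user, pass)
}

func main() {
	creds := Credentials{Username: "admin", Password: "s3cret"} // constructed sample
	// With a wrong username the vulnerable form never touches the password.
	_, compared := vulnerableCheckTraced(creds, "nobody", "s3cret")
	fmt.Println("password compared on bad username:", compared)
	// Both forms accept the right pair; only the hardened one does constant work.
	good := "Basic " + base64.StdEncoding.EncodeToString([]byte("admin:s3cret"))
	fmt.Println("vulnerable:", vulnerableCheck(creds, "admin", "s3cret"),
		"hardened:", authorize(creds, good))
}
```

Hashing before comparing is the usual way to get a fixed-length operand for `subtle.ConstantTimeCompare`; it does not make the secret itself stronger, and the stored password should still be handled like any other credential (loaded from configuration or a secret store, never compared against a logged value).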
References:
- ADVISORY: GHSA-c2fc-9q9c-5486
- ADVISORY: GHSA-c2fc-9q9c-5486
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
- data/reports/GO-2024-3136.yaml (x/vulndb: potential Go vuln in d7y.io/dragonfly/v2: GHSA-hpc8-7wpm-889w #3136)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
          - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: Dragonfly vulnerable to timing attacks against Proxy’s basic authentication in d7y.io/dragonfly
cves:
    - CVE-2025-59350
ghsas:
    - GHSA-c2fc-9q9c-5486
references:
    - advisory: https://github.com/advisories/GHSA-c2fc-9q9c-5486
    - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-c2fc-9q9c-5486
    created: 2025-09-17T21:01:20.578971787Z
review_status: UNREVIEWED
```